Signal vs. Noise: Actionable Intelligence

Raw data isn’t intelligence. The job of an analyst is to make leadership care about the right twelve alerts out of ten thousand.
// TL;DR
Threat intelligence fails when it stops at the indicator. Real CTI is a pipeline: collect → contextualize → map → decide → report. This post walks the F3EAD-style loop I use, how to score IOCs honestly, and how to write the one-paragraph briefing that survives contact with an executive.

// The Core Problem

Most “threat intel” feeds are firehoses of IPs, hashes, and domains with no context. They generate alerts. They do not generate decisions. The analyst’s job is the bridge between the two.

An IOC that says “185.x.x.x — malicious” tells you nothing actionable. An IOC that says “185.x.x.x — APT-style C2 used in Q3 healthcare campaigns; observed in our DNS logs 14 minutes ago; no current control blocks it” — that’s intelligence.

// The F3EAD Loop (Adapted for SOC)

  • F1 FIND: Collect from feeds, ISACs, internal telemetry, OSINT.
  • F2 FIX: Validate, deduplicate, score for confidence and relevance.
  • F3 FINISH: Block, hunt, escalate — turn intel into a control or a ticket.
  • E EXPLOIT: Pivot from one IOC to the campaign behind it.
  • A ANALYZE: Map TTPs to MITRE ATT&CK; identify defense gaps.
  • D DISSEMINATE: Right report, right audience, right verb.

// Scoring IOCs Without Lying to Yourself

Every indicator gets two scores from me: confidence (how sure am I this is hostile?) and relevance (does it touch our environment?). The matrix decides the action:

  • HIGH confidence + HIGH relevance: block, hunt, page on-call.
  • HIGH confidence + LOW relevance: block, log, no escalation.
  • LOW confidence + HIGH relevance: hunt, do not block. Tune detections.
  • LOW confidence + LOW relevance: archive. Stop wasting watch-floor cycles.

// FROM THE WATCH FLOOR
The fastest way to burn an analyst out is to make them treat low-confidence, low-relevance feeds as P1. Triage discipline is a wellness control as much as a security one.
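The scoring matrix above, as an added example that is not part of the original post. It derives confidence from independent corroboration rather than a vendor label, derives relevance from telemetry hits, and carries the "no current control blocks it" context from earlier in the post as an `already_blocked` flag; the sources, thresholds and sample feed are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IOC:
    value: str
    kind: str                      # "ip", "domain", "sha256"
    sources: frozenset             # independent sources asserting hostility
    telemetry_hits: int            # matches in our DNS / proxy / EDR logs
    already_blocked: bool = False  # an existing control already covers it


# Confidence comes from independent corroboration, not the vendor's own label.
# The two-source threshold is an assumption for this example.
def confidence(ioc: IOC, min_sources: int = 2) -> str:
    return "HIGH" if len(ioc.sources) >= min_sources else "LOW"


# Relevance asks one question: did it touch our environment?
def relevance(ioc: IOC) -> str:
    return "HIGH" if ioc.telemetry_hits > 0 else "LOW"


# The matrix from the post, keyed on (confidence, relevance).
MATRIX = {
    ("HIGH", "HIGH"): ["block", "hunt", "page on-call"],
    ("HIGH", "LOW"):  ["block", "log"],
    ("LOW", "HIGH"):  ["hunt", "tune detections"],
    ("LOW", "LOW"):   ["archive"],
}


def triage(ioc: IOC) -> list[str]:
    actions = list(MATRIX[(confidence(ioc), relevance(ioc))])
    # If a control already covers the indicator, verify it instead of
    # filing a duplicate block request.
    if ioc.already_blocked:
        actions = ["verify existing block" if a == "block" else a for a in actions]
    return actions


def triage_feed(feed: list[IOC]) -> dict[str, list[str]]:
    return {ioc.value: triage(ioc) for ioc in feed}


# Constructed sample feed: RFC 5737 documentation addresses, a .test domain
# and a dummy hash, all made up for this example.
SAMPLE_FEED = [
    IOC("203.0.113.7", "ip", frozenset({"vendor_a", "isac"}), 3),
    IOC("c2.example-bad.test", "domain", frozenset({"vendor_a", "internal_ir"}), 0),
    IOC("198.51.100.9", "ip", frozenset({"vendor_b"}), 1),
    IOC("a" * 64, "sha256", frozenset({"vendor_b"}), 0),
    IOC("203.0.113.8", "ip", frozenset({"isac", "partner"}), 2, already_blocked=True),
]
```

Running `triage_feed(SAMPLE_FEED)` yields one action list per indicator; the single-source, zero-hit hash lands in "archive", which is the outcome the watch-floor note above is arguing for.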

// Mapping to MITRE ATT&CK

An IOC dies in 30 days. A behavior lives forever. When I see activity, I want the technique ID, not just the indicator. T1059 (Command and Scripting Interpreter), T1071 (Application Layer Protocol), T1486 (Data Encrypted for Impact) — these are persistent vocabulary across vendors and incidents.

Mapping to ATT&CK lets you do three things you can’t do with raw indicators:

  • Coverage analysis: what techniques can our detections actually catch?
  • Gap reporting: what are we blind to, and what does that mean for risk?
  • Trend tracking: are we seeing more credential access (TA0006) this quarter, or more impact (TA0040)?

// The One-Paragraph Briefing

Executives don’t need your full report. They need the paragraph. The format I use:

// THREAT BRIEF — YYYY-MM-DD
WHO: [Actor / cluster / unknown]
WHAT: [Activity in plain language]
SO WHAT: [Business impact if it lands]
NOW WHAT: [Specific action being taken / requested]
CONFIDENCE: [HIGH / MED / LOW]

Five lines. No jargon. No CVEs without context. If you can’t fit the brief into this template, you don’t understand the threat well enough to brief it yet.

// Common Failure Modes

  • Indicator hoarding: blocking everything from a feed and calling it a strategy. Now you have 500K IPs in a list nobody owns.
  • No feedback loop: the SOC consumes intel but never tells the CTI team which indicators paid off. The pipeline doesn’t get smarter.
  • Reporting in a vacuum: writing for analysts when the audience is leadership. Or vice versa. Match the verb to the reader.
  • Confidence inflation: calling everything HIGH because the vendor said so. Score independently or score nothing.

// Closing

Signal is what changes a decision. Noise is everything else. As an analyst, the most valuable thing I produce is not a dashboard or a report — it’s a shorter list of things leadership has to think about, each of which is true and actionable. Everything else is overhead.
